
This question is an extension in some ways of this one: Exchange 2007 server send out spam

We're running Exchange 2007. We have an end user who received an Exchange bounce back (generating server is ours) saying she sent to too many recipients (our policy only allows accounts to send to 30 recipients or so by default). The kickback message shows:

richard72212@gmail.com<mailto:richard72212@gmail.com> This message has too many recipients. Microsoft Exchange will not try to redeliver this message for you. Please try resending with fewer recipients, or provide the following diagnostic text to your system administrator.

Lenholden007@hotmail.com<mailto:Lenholden007@hotmail.com> This message has too many recipients. Microsoft Exchange will not try to redeliver this message for you. Please try resending with fewer recipients, or provide the following diagnostic text to your system administrator. etc...

Good! I'm glad that the recipient filter stopped it! Our exchange server is not an open relay, and I see the message in the Exchange Management Console Message Tracking Tool. I opened the User's mailbox in Outlook 2010 on my machine, and the SPAM message is in her Sent box.

My guess at this point (hat tip to the other SF question above), is that we have an infected client machine. I see that there is a "Client IP" field in message tracking, but it's mostly filled with our mail server's IP. My question is - can I use the exchange message tracking logs to find the IP or host name of the message origination point?

Thanks for any help or pointers! I'll be happy to update with any requested information.

Update - After the first report of this (earlier this week), I had the user change her password. It has happened again since the password change.

SteadH
  • "I opened the User's mailbox in Outlook 2010, and the SPAM message is in her Sent box" - I'd say you found the culprit already. Good work. Case closed. – joeqwerty Nov 14 '13 at 20:43
  • Well, it's one step. I'm looking for the origin now. She could have been on any computer on campus, so I'm trying to find where the infection might be. Thanks! – SteadH Nov 14 '13 at 20:47
  • Might not be an infected machine, depending on outside access to mail being available the offending account might just have a weak password. – Cory J Nov 14 '13 at 20:52
  • Also, there isn't really a question here, maybe sum it up in a question. – Cory J Nov 14 '13 at 20:52
  • Cory - question is in next to last paragraph - "My question is - can I use the exchange message tracking logs to find the IP or host name of the message origination point?" – SteadH Nov 14 '13 at 20:54
  • Cory - I added password info. That was my first guess, and I had her change it. She's had one more SPAM incident/rejection message since the password change. Thanks! – SteadH Nov 14 '13 at 20:55
  • You must be using the Tracking Log Explorer. The Message Tracking tool doesn't show the client ip address (that I'm aware of). Unless the user connects via POP/SMTP you're not going to see their client ip address in the Tracking Log Explorer. – joeqwerty Nov 14 '13 at 21:06
  • Interesting! Thanks Joe. Is there any other method of determining the ip for the originating client? – SteadH Nov 14 '13 at 21:55
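One way to answer the question asked above from the tracking logs themselves, as an added example written for this page rather than code from the poster or from Microsoft. It assumes the Exchange 2007 Management Shell, and the sender address, Hub Transport server name and time window are placeholders. The point is the Source column: for a RECEIVE event, SMTP means the Hub accepted the message over SMTP and ClientIp is the submitting host, while STOREDRIVER means the message was pulled from the mailbox store (Outlook/MAPI, OWA, ActiveSync), in which case ClientIp is the Exchange server and the client has to be traced through OWA/ActiveSync IIS logs or the MAPI session instead.

```powershell
# Added example, not from the question or answer. Placeholder values:
$sender = 'user@example.edu'       # the affected mailbox
$hub    = 'HUB01'                  # a Hub Transport server that logs for this mailbox
$start  = (Get-Date).AddDays(-7)   # how far back to look
$limit  = 30                       # the recipient cap mentioned in the post

# RECEIVE events are written when the Hub takes ownership of a message,
# whether it arrived over SMTP or was picked up from the mailbox store.
$events = Get-MessageTrackingLog -Server $hub -Sender $sender -EventId RECEIVE `
    -Start $start -ResultSize Unlimited

# Full timeline of what this mailbox submitted and through which path.
$events |
    Select-Object Timestamp, Source, SourceContext, ClientIp, ClientHostname,
                  RecipientCount, MessageSubject |
    Sort-Object Timestamp |
    Format-Table -AutoSize

# Only the oversized sends, grouped by submission path and client address.
# A Source of SMTP with a campus address here points at a host to inspect;
# STOREDRIVER with the server's own address means an authenticated
# Outlook/OWA/ActiveSync session, so the next stop is the CAS/IIS logs.
$events |
    Where-Object { $_.RecipientCount -ge $limit } |
    Group-Object Source, ClientIp |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

If the mailbox's Hub servers are not known, run the same query once per server returned by `Get-TransportServer`.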

1 Answer


From here: http://support.microsoft.com/kb/2292750

It might not be that simple though, as the user might be logged in from various devices (Outlook client and iPhone, for example).

Since it appears to be happening often enough, you may consider disabling her ability to use ActiveSync and OWA and then ask her to only use "x computer" and then see if it happens again anytime soon.

That's the best I've got.

TheCleaner